AWS Secrets Manager
It lets you store secrets (passwords, API keys, …) in a secure way. It’s usable via console, CLI, API or SDK.
Secrets Manager has similar functionality to SSM Parameter Store, but it adds more:
- Automatic rotation of secrets using Lambda: a function is periodically invoked and rotates the secret, but you need to manage the rotation inside the services that use the secret.
- Managed rotation, where Secrets Manager also updates the values in the service, for the following services:
  - RDS: master user credentials.
  - Aurora: master user credentials.
  - ECS: for the rotation of the AWS Private CA TLS certificates.
  - Redshift: admin passwords.
- What really makes it different from SSM Parameter Store is that it also focuses on secrets rotation, either via Lambda or with a direct integration.
It works with KMS, so permissions must also be granted for KMS keys.
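
To make the Lambda rotation described above concrete, here is a sketch of the four steps Secrets Manager sends to a rotation function (`createSecret`, `setSecret`, `testSecret`, `finishSecret`). It is an added example, not code from this page or from AWS. It assumes the secret is a JSON object with a `password` key, and `apply_to_service` and `test_login` are hypothetical callbacks for the service that uses the secret.

```python
import json
import secrets


def rotate(event, sm, apply_to_service, test_login):
    """Handle one rotation step. `sm` is a boto3 Secrets Manager client;
    apply_to_service and test_login are hypothetical callbacks that talk to
    the service whose credential is being rotated."""
    sid, token, step = event["SecretId"], event["ClientRequestToken"], event["Step"]

    if step == "createSecret":
        try:  # a retried invocation must not mint a second password
            sm.get_secret_value(SecretId=sid, VersionId=token, VersionStage="AWSPENDING")
        except sm.exceptions.ResourceNotFoundException:
            cur = sm.get_secret_value(SecretId=sid, VersionStage="AWSCURRENT")
            value = json.loads(cur["SecretString"])
            value["password"] = secrets.token_urlsafe(24)  # assumed secret layout
            sm.put_secret_value(SecretId=sid, ClientRequestToken=token,
                                SecretString=json.dumps(value),
                                VersionStages=["AWSPENDING"])
    elif step in ("setSecret", "testSecret"):
        pending = sm.get_secret_value(SecretId=sid, VersionId=token,
                                      VersionStage="AWSPENDING")
        value = json.loads(pending["SecretString"])
        # setSecret changes the credential in the service itself;
        # testSecret proves the new credential works before it goes live.
        (apply_to_service if step == "setSecret" else test_login)(value)
    elif step == "finishSecret":
        stages = sm.describe_secret(SecretId=sid)["VersionIdsToStages"]
        old = next(v for v, s in stages.items() if "AWSCURRENT" in s)
        if old != token:  # already promoted on an earlier attempt
            sm.update_secret_version_stage(SecretId=sid, VersionStage="AWSCURRENT",
                                           MoveToVersionId=token,
                                           RemoveFromVersionId=old)
    else:
        raise ValueError(f"unexpected rotation step: {step!r}")

# In Lambda: rotate(event, boto3.client("secretsmanager"), apply_to_service, test_login)
```

Consumers keep reading `AWSCURRENT` throughout, so they only see the new value after `testSecret` has passed and `finishSecret` has moved the label.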